Configuring User Roles
In the user-centric network, the user role of a wireless client determines its privileges and the type of traffic that it can send or receive in the wireless network. You can configure roles for clients that use mostly data traffic, such as laptops, and roles for clients that use mostly voice traffic, such as VoIP phones. Although there are different ways for a client to derive a user role, in most cases clients using data traffic are assigned a role after they are authenticated through a method such as 802.1X, VPN, or captive portal. The user role for VoIP phones may also be derived from the OUI of their MAC addresses or the SSID to which they associate. Refer to Roles and Policies for details on how to create and configure a user role.
This section describes how to configure voice user roles with the required privileges and priorities. The Managed Device provides default user roles for all voice services. You can do one of the following:
Creating or Modifying Voice User Roles
Using the User-Derivation Rules
Using the Default User Role
The Managed Device is configured with the default voice role. This role has the following settings:
No limit on upload or download bandwidth
Default L2TP and PPTP pool
Maximum sessions: 65535
The following ACLs are associated with the default voice role:
global-sacl
apprf-voice-sacl
ra-guard
wificalling-acl
voip-applications-acl
For more details on the default voice role, enter the following command on the Mobility Master:
(host) [mynode] #show rights voice
Creating or Modifying Voice User Roles
You can create roles for Facetime, H.323, Jabber, NOE, SCCP, Skype for Business, SIP, SVP, Vocera, and Wi-Fi calling ALGs. The following procedure describes how to configure user roles for any of the ALGs:
1. In the node hierarchy, navigate to .
2. In the tab, click to add a policy.
3. For , enter a name.
4. For , select .
5. Click .
6. Select the newly added policy.
7. In , click to add a new rule.
8. Select option as the rule type.
9. Click .
10. Under , configure the following settings:
a. For , select .
b. For , select .
c. For , select .
d. For , select service, then the correct voice or video ALG service. See Table 1 and Table 2 for service names for all ALGs:
Table 1: ALG service names
ALG | Service Name
NOE | svc-noe sip-noe-oxo
 | svc-sip-tcp svc-sip-udp
SIPS | svc-sips
 | svc-svp
VOCERA | svc-vocera
SCCP | svc-sccp
H.323 | svc-h323-tcp svc-h323-udp

Table 2: ACL service names
ACL | Service Name
 | svc-dhcp
 | svc-tftp
 | svc-icmp
 | svc-dns
e. For , select .
f. For , select a value. -- denotes lowest priority. 7 denotes highest priority.
g. Click . Repeat steps 1 to 5 to add ACLs for more VoIP protocols.
11. Select the tab. Click to add a user role.
12. In the window, for , enter a name for the user role.
13. Click .
14. Select the newly added role.
15. In the section, click . Configure the following settings:
a. Under , click .
b. In the window, select the option.
c. In the drop-down list, select the previously configured policy name.
d. Click .
e. Under , click .
f. In the window, select the option.
g. In the drop-down list, select .
h. Click .
16. Click .
17. In the window, select the check box and click .
The following CLI commands configure user roles for ALGs:
(host) [md] (config) #ip access-list session
(host) ^[md] (config-submode) #any any
The following CLI commands map the policy name to the user role:
(host) [md] (config) #user-role
(host) ^[md] (config-submode) #access-list session
Replace the following strings:
policy-name with a string that you want to use to identify the role's policy
role-name with a string that you want to use to identify the voice user role
service-name with any of the service names listed in Table 1 and Table 2
Using the User-Derivation Rules
The user role can be derived from the attributes of the client's association with an AP. For VoIP phones, you can configure the devices to be placed in their user role based on the SSID or the OUI of the MAC address of the client. The following procedure describes how to derive a role based on SSID:
User-derivation rules are executed before the client is authenticated.
1. In the node hierarchy, navigate to .
2. In , click .
3. In the window, enter a name for the user rule and click .
4. In , select the name of the user rule to configure the rule set.
5. In , click and configure the following settings:
a. For , select from the drop-down list.
b. For , select .
c. For , select .
d. For , enter the SSID used for the phones.
e. For , select the user role previously created.
6. Click .
7. Click .
8. In the window, select the check box and click .
Run the following commands to derive a role based on SSID:
(host) [md] (config) #aaa derivation-rules user
(host) ^[md] (config-submode) #set role condition essid equals
Deriving Role Based on MAC OUI
The following procedure describes how to derive a role based on MAC OUI:
1. In the node hierarchy, navigate to .
2. In , click .
3. In the window, enter a name for the user rule and click .
4. In , select the name of the user rule to configure the rule set.
5. In , click and configure the following settings:
a. For , select from the drop-down list.
b. For , select .
c. For , select .
d. For , enter the first three octets (the OUI) of the MAC address of the phones (for example, the Spectralink OUI is 00:09:7a).
e. For , select the user role previously created.
6. Click .
7. Click .
8. In the window, select the check box and click .
Run the following commands to derive a role based on MAC OUI:
(host) [md] (config) #aaa derivation-rules user
(host) ^[md] (config-submode) #set role condition macaddr contains
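The following Python model of the two derivation rules above (SSID equals, MAC OUI contains) is an added example, not ArubaOS code. It assumes rules are evaluated in order with the first match winning, that the fallback is the pre-authentication default role (named "logon" here as an assumption), and it also shows a "starts-with" comparison to make the point that "contains" matches an OUI anywhere in the address, not only as its prefix.

```python
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Rule:
    """One 'set role condition <attr> <op> <value> set-value <role>' line."""
    attribute: str   # "essid" or "macaddr"
    operator: str    # "equals", "contains" or "starts-with"
    value: str
    role: str


def normalize_mac(mac: str) -> str:
    """Accept 00:09:7a, 00-09-7A or 00097a and return lower-case colon form,
    so comparisons are byte-aligned and case-insensitive (assumption)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) % 2 or not 2 <= len(digits) <= 12:
        raise ValueError(f"not a MAC address or OUI: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def rule_matches(rule: Rule, essid: str, mac: str) -> bool:
    if rule.attribute == "essid":
        subject, pattern = essid, rule.value          # SSIDs compared as given
    elif rule.attribute == "macaddr":
        subject, pattern = normalize_mac(mac), normalize_mac(rule.value)
    else:
        raise ValueError(f"unsupported attribute: {rule.attribute}")
    if rule.operator == "equals":
        return subject == pattern
    if rule.operator == "contains":
        return pattern in subject          # matches anywhere in the address
    if rule.operator == "starts-with":
        return subject.startswith(pattern)  # restricts the OUI to the prefix
    raise ValueError(f"unsupported operator: {rule.operator}")


def derive_role(rules, essid: str, mac: str, default_role: str = "logon") -> str:
    """First matching rule wins; no match keeps the pre-authentication default."""
    for rule in rules:
        if rule_matches(rule, essid, mac):
            return rule.role
    return default_role


# Constructed rule set mirroring the two CLI procedures on this page.
VOICE_RULES = (
    Rule("essid", "equals", "Voice-SSID", "voice"),
    Rule("macaddr", "contains", "00:09:7a", "voice"),   # Spectralink OUI
)
```

Because these rules run before authentication, the derived role is only as trustworthy as the attribute it keys on; prefer the narrowest operator that still matches the phones.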